
Container Service for Kubernetes: Vulnerability CVE-2023-51699

Last Updated: Mar 25, 2024

The Fluid community recently discovered the vulnerability CVE-2023-51699. After attackers acquire permissions to create and modify Datasets and the JuiceFSRuntime, they can modify CustomResourceDefinitions (CRDs) to escalate privileges on the node where the JuiceFSRuntime is deployed. CVE-2023-51699 is rated as medium severity, with a Common Vulnerability Scoring System (CVSS) score of 4.0.

Affected versions

Clusters that use ack-fluid 1.0.6 or earlier together with the JuiceFSRuntime are affected.

Impacts

If attackers acquire permissions to create and modify Datasets and the JuiceFSRuntime, they may gain access to a Kubernetes worker node without authorization.
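Because the precondition is write access to Datasets and the JuiceFSRuntime, it helps to know which roles grant that access. The following is an added example, not part of the original advisory or of Fluid: it scans an RBAC export for such roles. It assumes the Fluid CRDs are served from the data.fluid.io API group as "datasets" and "juicefsruntimes", and the role names and sample data are constructed.

```python
import json

# Assumption: Fluid's CRDs are served from the data.fluid.io API group
# under the plural names "datasets" and "juicefsruntimes".
FLUID_GROUP = "data.fluid.io"
TARGETS = ("datasets", "juicefsruntimes")
WRITE_VERBS = {"create", "update", "patch"}

# Constructed sample in the shape of `kubectl get clusterroles,roles -A -o json`.
SAMPLE = json.dumps({"items": [
    {"kind": "ClusterRole", "metadata": {"name": "fluid-editor"}, "rules": [
        {"apiGroups": ["data.fluid.io"], "resources": ["datasets", "juicefsruntimes"],
         "verbs": ["get", "create", "update"]}]},
    {"kind": "Role", "metadata": {"name": "fluid-viewer", "namespace": "ml"}, "rules": [
        {"apiGroups": ["data.fluid.io"], "resources": ["datasets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "aggregated-empty"}, "rules": None},
]})

def covers(values, wanted):
    """RBAC lists match on the exact name or on the '*' wildcard."""
    return "*" in values or wanted in values

def fluid_write_grants(role):
    """Map each target resource to the write verbs this role grants on it."""
    grants = {}
    for rule in role.get("rules") or []:   # aggregated roles can carry rules: null
        if not covers(rule.get("apiGroups", []), FLUID_GROUP):
            continue
        verbs = set(rule.get("verbs", []))
        held = WRITE_VERBS if "*" in verbs else WRITE_VERBS & verbs
        for res in TARGETS:
            if held and covers(rule.get("resources", []), res):
                grants.setdefault(res, set()).update(held)
    return {res: sorted(v) for res, v in grants.items()}

def audit(rbac_list):
    """Return (kind, namespace, name, grants) for every role with write access."""
    findings = []
    for item in rbac_list.get("items", []):
        grants = fluid_write_grants(item)
        if grants:
            meta = item["metadata"]
            findings.append((item["kind"], meta.get("namespace", "-"), meta["name"], grants))
    return findings

if __name__ == "__main__":
    for kind, ns, name, grants in audit(json.loads(SAMPLE)):
        print(f"{kind} {ns}/{name}: {grants}")
```

A flagged role matters only for the subjects bound to it, so review the matching RoleBindings and ClusterRoleBindings next.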

Solution

Update the ack-fluid component of your cluster to v1.0.7 or later. For more information about how to update ack-fluid, see [Component Updates] Update ack-fluid.

How to prevent